
Packet filtering is an essential skill when capturing and working with large network dumps. Several tools and techniques simplify searching through captured traffic and extracting the useful parts of it.

TCPDUMP

tcpdump can be configured to capture only traffic that matches a specified filter. To apply a filter, append a quoted filter expression to the command line. Here is a simple example that captures live packets to and from 192.168.1.10 (-tttt prints full date and time stamps, -nn disables host and port name resolution):

tcpdump -i eth0 -ttttnn "host 192.168.1.10"

To filter a previously saved pcap file (e.g. one produced by tcpdump -w capture.pcap -s 1550, where -s sets the snapshot length in bytes), use the -r flag combined with the same filter:

tcpdump -r capture.pcap "host 192.168.1.10"

When reading existing pcap files, the following command line is recommended: -tttt gives unambiguous date/time stamps and -nn avoids DNS and port-name lookups, which is what makes reading large files noticeably faster:

tcpdump -ttttnnr capture.pcap "host 192.168.1.10"

The tcpdump man page (pcap-filter(7) in newer releases) documents the complete filter syntax; here are some of the more useful constructs:

Byte Offset Filtering

icmp[0]=8 or icmp[0]=0 – look at the first byte of the ICMP header (the type field) and capture types 8 (echo request) and 0 (echo reply)
tcp[0:2]=80 and tcp[13]=0x02 – capture packets coming from source port 80 (the first two bytes of the TCP header) whose flags byte (offset 13) is exactly 0x02, i.e. SYN with no other flag set; a SYN-ACK (0x12) does not match this exact comparison
tcp[13] & 0x02 = 2 – capture packets with the SYN flag present regardless of other flags (0x12 SYN-ACK matches too). ANDing tcp[13] with the mask 0x02 clears every bit except the second bit from the right; comparing the result with 0x02 then tells you whether that bit was set in the original byte. The same filter can be written with the named constants from pcap-filter(7): tcp[tcpflags] & tcp-syn != 0
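To make the byte offsets concrete, here is an added example that is not from the original article: a self-contained Python script (standard library only) that writes a small pcap from constructed packets in memory, dissects the Ethernet and IPv4 headers the way the tcp[...] and icmp[...] indexes assume (offset 0 is the first byte after the IP header, so the IHL field must be honoured), and evaluates the three filters above with plain byte indexing. The packets, addresses and ports are made up for the demonstration.

```python
"""Hand-rolled evaluation of tcpdump byte-offset filters (added example).

Builds a tiny pcap from constructed frames, then applies
icmp[0]=8 or icmp[0]=0, tcp[0:2]=80 and tcp[13]=0x02, and tcp[13] & 0x02 = 2
with ordinary Python indexing so every offset can be checked by hand.
"""
import struct

ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP = 1, 6


def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; filters do not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def tcp_segment(sport, dport, flags):
    """20-byte TCP header; the flags byte lands at TCP offset 13, ports at 0:2 and 2:4."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def icmp_msg(icmp_type):
    """8-byte ICMP header: type is the very first byte (icmp[0])."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)


def frame(proto, l4):
    """Ethernet frame: 14-byte header + IPv4 header + transport header (constructed MACs/IPs)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_IPV4)
    return eth + ipv4_header(proto, "192.168.1.10", "192.168.1.20", len(l4)) + l4


def build_pcap(frames):
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET=1) then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield raw frames from classic pcap bytes; the magic number tells the byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + caplen]
        pos += caplen


def l4_bytes(frame_bytes, proto):
    """Transport header as tcpdump indexes tcp[...]/icmp[...]: offset 0 is the first
    byte after the IPv4 header (IHL-aware). Returns None if the frame is another protocol."""
    if struct.unpack("!H", frame_bytes[12:14])[0] != ETH_IPV4:
        return None
    ip = frame_bytes[14:]
    if ip[9] != proto:
        return None
    return ip[(ip[0] & 0x0F) * 4:]


def icmp_echo(f):            # icmp[0]=8 or icmp[0]=0
    b = l4_bytes(f, PROTO_ICMP)
    return b is not None and b[0] in (8, 0)


def syn_only_from_80(f):     # tcp[0:2]=80 and tcp[13]=0x02  (exact match: SYN alone)
    b = l4_bytes(f, PROTO_TCP)
    return b is not None and struct.unpack("!H", b[0:2])[0] == 80 and b[13] == 0x02


def syn_set(f):              # tcp[13] & 0x02 = 2  (mask: SYN with any other flags)
    b = l4_bytes(f, PROTO_TCP)
    return b is not None and (b[13] & 0x02) == 2


def matching(pcap_bytes, predicate):
    """Indices of the frames in the pcap that the filter selects."""
    return [i for i, f in enumerate(read_pcap(pcap_bytes)) if predicate(f)]


# Constructed test traffic, not a real capture.
SAMPLE_PCAP = build_pcap([
    frame(PROTO_ICMP, icmp_msg(8)),                   # 0: echo request
    frame(PROTO_ICMP, icmp_msg(0)),                   # 1: echo reply
    frame(PROTO_ICMP, icmp_msg(3)),                   # 2: destination unreachable
    frame(PROTO_TCP, tcp_segment(80, 40000, 0x02)),   # 3: SYN from port 80
    frame(PROTO_TCP, tcp_segment(80, 40000, 0x12)),   # 4: SYN-ACK from port 80
    frame(PROTO_TCP, tcp_segment(80, 40000, 0x10)),   # 5: ACK from port 80
    frame(PROTO_TCP, tcp_segment(443, 40001, 0x02)),  # 6: SYN from port 443
])

if __name__ == "__main__":
    for name, pred in [("icmp echo", icmp_echo), ("syn only from 80", syn_only_from_80),
                       ("syn set", syn_set)]:
        print(f"{name:18s} -> frames {matching(SAMPLE_PCAP, pred)}")
```

Run it directly to see which frame indices each filter selects: syn_only_from_80 rejects the SYN-ACK while syn_set accepts it, which is exactly the difference between tcp[13]=0x02 and tcp[13] & 0x02 = 2. A real file could be fed to the same functions, since read_pcap only assumes the classic pcap format with an Ethernet link type (pcapng, VLAN tags and IPv6 are deliberately not handled here).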

Viewing custom fields

Capture filter

tshark -i eth0 -n -t ad -f "tcp dst port 80"

The above command captures only TCP traffic going to port 80 (-n disables name resolution and -t ad prints absolute date and time stamps). The -f option takes a libpcap capture filter, i.e. the same syntax tcpdump uses, so see TCPDUMP above for the details.

Read (Display) Filter

Read (display) filters offer far more flexibility and power than libpcap capture filters because they are evaluated on fully dissected packets. For the same reason they are expensive: do not rely on them alone when handling large captures. Narrow the traffic with a capture filter first and use read filters for fine tuning. Below is an example to display all traffic to or from 192.168.1.10:
